Maybe I’m a paranoid cynic – I’ve been called worse – but I’ve never felt entirely comfortable with valet parking. Maybe I have seen too many movies where the car experienced severe trauma on its way to the garage; and I certainly would not hand a stranger the keys to my house while I’m on vacation. And yet senior management at organizations such as the NSA, and at many other government and commercial enterprises, seem to have no difficulty handing strangers access to their livelihoods, and to national security.
What the NSA has woken up to is that you cannot trust people, regardless of whether, like Manning, they’re one of your own, or whether, like Snowden, they happily sold their heritage for a “mess of pottage”, which in today’s world means one of the many global news stations and sites.
The fascinating thing about both these characters is not that they’re hacking geniuses, which I’m certain Edward’s new employers in Moscow are discovering, but that a lack of effective automated controls allowed them to abuse their privileges. A five-year-old can access sensitive data if they have the key.
The first clear step that the NSA has identified is the need to regain control, and rightly so. Today, like never before, infrastructure and businesses are under attack, and the first point of attack is an attempt to gain privileged access to any part of an infrastructure. Once this is obtained, the attacker will target any and all assets, regardless of their value.
To combat this threat, organizations need to automate the management of their privileged access, and this goes far beyond simply controlling an administrative account. Even in a relatively small infrastructure there will be an inordinate number of service accounts that have to be continually discovered, managed, propagated, and granted delegated access. Service accounts cover services, tasks, COM/DCOM, SharePoint, scripts, embedded accounts, etc.
Continual discovery cannot be emphasized enough. Once anyone is given administrative access to a system, it becomes a very simple task to create additional accounts that can later be used as back doors. Installing applications or modifying system registries are also relatively easy ways to create backdoors. Continuous monitoring is absolutely essential. Additionally, merely identifying accounts on systems is not sufficient: the saying “garbage in, garbage out” also applies to managing privileged accounts. For example, identifying how many accounts are defined and removing unnecessary or unused accounts is a first basic step to ensure that potential backdoors are eliminated.
When it comes to privileged accounts, an organization can never expect to automate all processes completely, and it is necessary to implement rigorous password and key management. Automated one-time passwords, including automated splitting of passwords to provide “four eyes” access controls, are simply no longer optional. They are a must-have in any large organization that deals with sensitive data.
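The “four eyes” splitting mentioned above can be illustrated with an XOR-based n-of-n scheme: the privileged password is cut into one share per custodian, no subset of shares reveals anything about it, and the vault keeps only a digest so that a tampered share is detected before anything is released. This is an added example, not code from the original post or from any vendor product; the custodian names, the `issue` and `four_eyes_checkout` functions and the sample password are constructed for illustration.

```python
import hashlib
import secrets


def split_secret(secret: bytes, custodians: list[str]) -> dict[str, bytes]:
    """XOR-split `secret` into one share per custodian.

    Every share but the last is uniformly random, so any set that is
    missing even one share carries no information about the secret.
    """
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("need at least two distinct custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in custodians[:-1]]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return dict(zip(custodians, shares))


def combine_shares(shares: dict[str, bytes]) -> bytes:
    """XOR all shares together; only the complete set yields the secret."""
    lengths = {len(s) for s in shares.values()}
    if len(lengths) != 1:
        raise ValueError("shares missing or of unequal length")
    out = bytes(lengths.pop())
    for share in shares.values():
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def issue(password: bytes, custodians: list[str]) -> tuple[dict[str, bytes], bytes]:
    """Return (shares to hand out, digest to keep); the vault retains no plaintext."""
    return split_secret(password, custodians), hashlib.sha256(password).digest()


def four_eyes_checkout(presented: dict[str, bytes], required: list[str],
                       digest: bytes) -> bytes:
    """Release the password only when every required custodian presents a share."""
    missing = set(required) - set(presented)
    if missing:
        raise PermissionError(f"four-eyes rule: missing shares from {sorted(missing)}")
    password = combine_shares({c: presented[c] for c in required})
    # XOR cannot tell a tampered share from a genuine one: the result is simply
    # a different string, so check it against the digest before releasing it.
    if hashlib.sha256(password).digest() != digest:
        raise PermissionError("share rejected: reconstructed password does not match")
    return password
```

The digest check is what turns a bad share into a refusal rather than a silently wrong password being pushed to a target system.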
Today we face unprecedented attacks on a scale never imagined five years ago. According to Mike Rogers of the US Federal Government’s House Intelligence Committee, “They’re taking blueprints back, not just military documents, but civilian innovation that companies are gonna use to create production lines to build things. They’re stealing that, repurposing it back in nations like China, and competing in the international market.”
We are not one global happy family befriending all and sundry on Facebook and Twitter. We are targets in a war between powerful and aspiring empires, both in the commercial and international sphere. We have enemies who are ingenious and are determined to win, and we must learn as quickly as possible how to protect and defend what we have worked so hard to create.